diff --git a/mail_to_misp.py b/mail_to_misp.py index f969e07..10b58c2 100755 --- a/mail_to_misp.py +++ b/mail_to_misp.py @@ -22,6 +22,7 @@ try: import socket import syslog import ftfy + import hashlib config = __import__(configfile) except ImportError as e: print("(!) Problem loading module:") @@ -127,6 +128,7 @@ internallist = config.internallist noidsflaglist = config.noidsflaglist ignorelist = config.ignorelist enforcewarninglist = config.enforcewarninglist +sighting = config.sighting removelist = config.removelist malwaretags = config.malwaretags dependingtags = config.dependingtags @@ -154,6 +156,10 @@ if debug: def init(url, key): return PyMISP(url, key, misp_verifycert, 'json', debug=None) +def sight(sighting, value): + if sighting: + d = {'value': value} + misp.set_sightings(d) # Evaluate classification tlp_tag = tlptag_default @@ -225,10 +231,13 @@ hashlist_sha256 = re.findall(hashmarker.SHA256_REGEX, email_data) for h in hashlist_md5: misp.add_named_attribute(new_event, 'md5', h, to_ids=True, enforceWarninglist=enforcewarninglist) + sight(sighting, h) for h in hashlist_sha1: misp.add_named_attribute(new_event, 'sha1', h, to_ids=True, enforceWarninglist=enforcewarninglist) + sight(sighting, h) for h in hashlist_sha256: misp.add_named_attribute(new_event, 'sha256', h, to_ids=True, enforceWarninglist=enforcewarninglist) + sight(sighting, h) if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0): for tag in hash_only_tags: @@ -250,9 +259,11 @@ for entry in urllist: if domainname in internallist: misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0, enforceWarninglist=enforcewarninglist) + sight(sighting, entry) elif domainname in externallist: misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False, enforceWarninglist=enforcewarninglist) + sight(sighting, entry) else: comment = "" if (domainname in noidsflaglist) or (hostname in noidsflaglist): @@ -268,6 +279,7 @@ for entry in urllist: else: misp.add_named_attribute(new_event, 'url', entry, category='Network activity', to_ids=ids_flag, enforceWarninglist=enforcewarninglist) + sight(sighting, entry) if debug: syslog.syslog(hostname) try: @@ -280,9 +292,11 @@ for entry in urllist: if is_valid_ipv4_address(hostname): misp.add_named_attribute(new_event, 'ip-dst', hostname, comment=comment, category='Network activity', to_ids=False, enforceWarninglist=enforcewarninglist) + sight(sighting, hostname) else: misp.add_named_attribute(new_event, 'hostname', hostname, comment=comment, category='Network activity', to_ids=ids_flag, enforceWarninglist=enforcewarninglist) + sight(sighting, hostname) try: for rdata in dns.resolver.query(hostname, 'A'): if debug: @@ -290,6 +304,7 @@ for entry in urllist: misp.add_named_attribute(new_event, 'ip-dst', rdata.to_text(), comment=hostname, category='Network activity', to_ids=False, enforceWarninglist=enforcewarninglist) + sight(sighting, rdata.to_text()) except Exception as e: if debug: syslog.syslog(str(e)) @@ -307,6 +322,8 @@ if stdin_used: attachment = part.get_payload(decode=True) event_id = misp_event.id misp.upload_sample(filename, output_path, event_id, distribution=None, to_ids=True) + file_hash = hashlib.sha256(open(output_path, 'rb').read()).hexdigest() + sight(sighting, file_hash) output.close() if debug: diff --git a/mail_to_misp_config.py-example b/mail_to_misp_config.py-example index dc65c03..4e46df3 100644 --- a/mail_to_misp_config.py-example +++ b/mail_to_misp_config.py-example @@ -42,6 +42,9 @@ ignorelist = (".*From: .*\n?", ".*Sender: .*\n?", ".*Received: .*\n?", ".*Sender # Ignore (don't add) attributes that are on server side warning list enforcewarninglist=True +# Add a sighting for each value +sighting=True + # Remove "[tags]", "Re: ", "Fwd: " from subject removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")